Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003. Overnight and today, it has become clear that a kill switch was included in the code. When it detects a specific web domain exists—created earlier today—it halts the spread of malware.

More information on WannaCry from a Webroot perspective can be found here.

We can't disclose our detection rules, as it would compromise the security they provide if they were made public. However, I can share that these are the top 25 variants of WannaCry that we've seen blocked. Some of these individual MD5s have been seen on hundreds of PCs - mostly in Russia.

Can you please provide more information on how we are protected? I get that we need to ensure patching is up to date, and our team has identified where servers/workstations need patching, but I'm curious to know if there are ways to verify if WannaCry is detected and quarantined.

As the second wave of WannaCry spreads across the globe, the latest estimate from the leading European police agency Europol suggests the malware has hit over 200,000 victims in over 150 countries. You can catch up on some of the latest news here.

Although a second kill switch has been identified and registered today, there is no certainty that this second kill switch will address all malware variants. Europol continues to recommend that one of the best defenses is to take advantage of the patches released by Microsoft.

Webroot currently has strong protection in place for WannaCry, and has already reviewed and fortified its protection and detection routines to protect its users against future variants that may appear. As Webroot sees every new executable file introduced on systems where Webroot SecureAnywhere is installed, we get rapid insight into all types of new malware.

This allows us to quickly create and/or improve upon our best-in-class detection mechanisms for zero day threats.

Over the past couple of days I've seen a few questions coming in from the community about WannaCry and wanted to share with the rest of you:

How does Webroot detect and prevent infection by WannaCry or other Trojans?

We have proprietary detection systems in place. In the case of WannaCry, our Webroot SecureAnywhere (WSA) detected and blocked it just like any other malware that we see. What was unique about this malware was its distribution method. You can find additional information about how WSA works on our data sheet here.

Does this mean that no customer running Webroot has been, or indeed will be, affected by WannaCry?

It takes time to learn about every threat and learn how to protect against it. This being said, our call volume has not been impacted at all by this threat. However, if someone has an unpatched system, there is potential for infection due to the vulnerability within the OS mentioned; read this article for details. We also have other tools to assist in auto-remediating malware.

As a reminder, to prevent this threat from propagating within your environment, in any way, please review our Ransomware Prevention Guide and implement the suggestions listed.

Do you have evidence that the initial infection vector was email?

While our threat teams are still actively researching the threat, we know it is propagating by probing and exploiting vulnerable systems.

At what point in time did Webroot detect this new version of WannaCry?
